From: PaX Team > Sent: 26 September 2015 14:47 > hi all, > > drivers/usb/host/r8a66597-hcd.c:r8a66597_hub_descriptor can truncate > r8a66597.max_root_hub (of type unsigned int) to an unsigned char: > > desc->bNbrPorts = r8a66597->max_root_hub; > > based on the surrounding code my guess is that max_root_hub can simply > be turned into an unsigned char field as it can't hold a value bigger > than U8_MAX. in fact its value can't be bigger than 7 anyway since > later the code uses it like this: > > desc->u.hs.DeviceRemovable[0] = ((1 << r8a66597->max_root_hub) - 1) << 1; > > can anyone tell me if this analysis is correct? > > FTR, this issue was detected with the upcoming version of the size overflow > plugin we have in PaX/grsecurity and there're a handful of similar cases in > the tree where potentially unwanted or unnecessary integer truncations occur, > this being one of these. any opinion/help is welcome! What do you intend doing to 'fix' these integer truncation warnings? IMHO adding C casts makes the code unreadable and can hide more serious errors. If you want to detect invalid truncations you need a tool that tracks the domain of valid values for integer types. It might need some source code annotation on the definition of fields. David -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
